Quick question about SQL injections


Post by Shadow545 on Tue Oct 08, 2013 9:51 pm

I have found a vulnerable site (I checked by putting an apostrophe at the end of the id=x), but when using ORDER BY to find the number of columns, I go up to 99999999 and there is still no error. Is there any way around this, or does it mean that it's actually not vulnerable at all? My syntax is right, so that's not the problem.


Re: Quick question about SQL injections

Post by Goatboy on Tue Oct 08, 2013 10:41 pm

What you mean to say is that you found a flaw in a site you personally run.
Assume that everything I say is or could be a lie.


Re: Quick question about SQL injections

Post by -Ninjex- on Wed Oct 09, 2013 1:53 am

It all depends on what is getting displayed back on the webpage; see if images are changing, etc. I couldn't really tell since I am not looking at it myself. You should read up on all the types of SQLi blind/inferential/etc. In short, the site may still be vulnerable, yes; especially if you received an error somewhere.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.


Re: Quick question about SQL injections

Post by mShred on Sat Oct 12, 2013 9:18 pm

What is the error that you're getting when adding the apostrophe?

For those about to rock.


Re: Quick question about SQL injections

Post by Shadow545 on Sun Oct 13, 2013 5:17 pm

There are missing pictures and the page looks different; there is no actual SQL error message though.


Re: Quick question about SQL injections

Post by Goatboy on Sun Oct 13, 2013 8:12 pm

They're probably pulling images and even page elements from the DB.


Re: Quick question about SQL injections

Post by -Ninjex- on Mon Oct 14, 2013 12:32 pm

Look specifically into inferential SQLi

Code:
SQL Injection can be broken up into 3 classes:

Inband
data is extracted using the same channel that is used to inject the SQL code. This is the most straightforward kind of attack, in which the retrieved data is presented directly in the application web page

Out of Band
data is retrieved using a different channel (e.g.: an email with the results of the query is generated and sent to the tester)

Inferential
there is no actual transfer of data, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behaviour of the website/DB Server.

- Joseph McCray


The above is a snippet outlining the different types of SQLi from Joseph McCray during a defcon speech that you can find here: http://hts.io/1lOvA

(off topic I will be back 100% tomorrow night)
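Added example, not part of any post in this thread: a defender's view, in Python with sqlite3, of why an apostrophe appended to an id parameter can leave a page with missing images and no visible SQL error, and how validation plus a bound parameter removes that behaviour. The table, the handler names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: page elements (image paths) stored in the database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE elements (page_id INTEGER, kind TEXT, path TEXT)")
    db.executemany(
        "INSERT INTO elements VALUES (?, ?, ?)",
        [(1, "image", "/img/logo.png"),
         (1, "image", "/img/banner.png"),
         (2, "image", "/img/team.png")],
    )
    return db

def render_vulnerable(db, raw_id, error_log):
    """Hypothetical handler: concatenates the id into the SQL text, hides DB errors."""
    sql = "SELECT path FROM elements WHERE page_id = " + raw_id
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The visitor gets no error message, only a page without its images.
        # Recording the failure server-side is what makes the malformed
        # request visible to whoever monitors the application.
        error_log.append((raw_id, str(exc)))
        rows = []
    return [r[0] for r in rows]

def render_hardened(db, raw_id):
    """Hypothetical handler: validates the id, then passes it as a bound parameter."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a non-negative integer")
    rows = db.execute(
        "SELECT path FROM elements WHERE page_id = ?", (int(raw_id),)
    ).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db, log = make_db(), []
    print(render_vulnerable(db, "1", log))    # normal page: two image paths
    print(render_vulnerable(db, "1'", log))   # images missing, no error shown
    print(log)                                # the syntax error exists only here
    print(render_hardened(db, "1"))           # same page through the bound query
```

In the hardened handler the request with the trailing apostrophe never reaches the database; the caller can turn the `ValueError` into a 400 response.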


